RSA: Enterprise security suffering from information overload

SAN FRANCISCO -- The growth rate of system and software vulnerabilities has tripled in the last 24 months to 60 per month, and new viruses are popping up at a rate of 10 to 15 a month. In the meantime, enterprises are being bombarded with constant alerts from their network protection systems, which generate millions of rows of information in a typical 30-day period. It's enough to make an admin throw in the towel, or at least feed his mouse to a snake. Symantec Security Response senior director Vincent Weafer spoke to SearchSecurity.com at RSA Conference 2003 about the bevy of threats invading enterprises, what companies need to do to combat those threats and what lies ahead.

Is the era of the e-mail worm officially over? No, not entirely. Floppy, boot-sector viruses are essentially gone and the e-mail-only worm is gone. But it has morphed now into the blended threat. You look at many of the most recent worms -- Klez, Magistr, Bugbear -- all of them attacked multiple avenues like open network shares, e-mail, IM [instant messaging]. Propagation is high unless enterprises protect all those vectors. That's...

the challenge, especially with having a lot of mobile workers and business partners with network access. Where does the perimeter end these days? What's the biggest threat to an enterprise? The malicious code writer, cumbersome software patches or the bogged down administrator? It's a combination of all really. The volume of updates an administrator faces is potentially in the hundreds. How do they know which are more important to address? Traditionally, it's been done on a risk-rating system. Match the vulnerability to your assets. Track the risk of an attack. If it can be leveraged against your assets, then it's a liability that needs to be addressed.

Then they have to deal with the stability of fixes and patches. Many administrators would rather wait for a service pack than apply a hotfix to a system or application. It's a safer route. But the question is, do they have enough time to wait for a service pack? That notion that they may have a year or two to get a patch up and running is no longer the case. The challenge is often to get the patch out on multiple systems, servers and, if your enterprise is large enough, your 500,000 desktops worldwide. With recent zero-day exploits, you just don't have that time anymore. Are virus and worm writers still dictating this cat-and-mouse game?
They prey on new technologies, like wireless, like PDAs. They learn from past mistakes and yes, enterprises play catch-up in these areas. Virus writers often use existing exploit technology and continue to exploit what others have had success with. Antivirus technology, meanwhile, is mostly signature-based. But there is behavior-blocking technology and we've had a lot of success against worms using heuristics.

We've seen the motivation factor change for virus and worm writers. Virus and worm writers and hackers used to be two different skill sets. That's no longer the case. They're often using the same skills and using worms, for example, as early reconnaissance for a later attack. If there was one issue or concern that enterprises express over and over, what would you say it is?
For enterprises, it's definitely information overload and manageability. 'They're saying, I'm getting so much information from my IDS and other network logs, I don't know how to manage it.' You cannot silo security. It's not just antivirus, or it's not just intrusion detection or firewalls. I think you'll soon see a trend of consolidation of [firewalls, antivirus, intrusion detection and intrusion prevention] into a single appliance. How many enterprises are actually aware of, or are using, behavior-based defenses?
With technologies like behavior-based antivirus or intrusion prevention systems, it's often an either-or thought. The answer is, however, that it's a combination of characteristics of both that works best. A behavior-based system that can tell an administrator that it has detected an anomaly, and by the way, it has also run a signature against it -- that's the best way to go. Enterprises need the same thing for policies. That kind of flies in the face of the best-of-breed security world.
Enterprises should have the best technology and services. Many companies right now have multiple vendor technologies in their environments. They need to know how to understand it all and make the right decisions. They need the right management system to tie things together. Our researchers said that any given company can have up to 9.5 million security events, and of those, 600 are probably actual attacks and 22 of those, serious breaches of their environment. It's not a needle in a haystack anymore. It's a needle in a pile of needles you find in the haystack.


FOR MORE INFORMATION:

SearchSecurity.com coverage of RSA Conference 2003

SearchSecurity.com news exclusive: "CA exec: Security information overload plagues enterprises"

Best Web Links on security management

 

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close